1

Network Forensics and NextGeneration Internet Attacks

Moderated by: Moheeb Rajab

Background singers: Jay and Fabian

2

Agenda

Questions and Critique of Timezones paper Extensions

Network Monitoring (recap)

Post-Mortem Analysis Background and Realms Problem of Identifying Patient zero Detecting Initial hit-list

Next Generation attacks (Omitted from slides) Implications and Challenges?

3

Botnets or Worms ?!

“The authors don’t provide evidence that botnetspropagate in the same way like regular worms”

Opening Sentence:4

3

2

Malware

Botnets

Worms

4

Student questions

5

Data Collection

“The original data collection method itself is worthmentioning as a strength of this paper”

“Can’t someone who sees all the traffic intended for aC&C server do more than simply gather SYN statistics”

“It is not clear to me how do they know that theycaptured the propagation phase in their tests”

6

Measuring Botnet Size

7

SYN Counting

Only looking at the Transport Layer Do we even know what this traffic is?

DHCP’d hosts DHCP will cause SYNs coming from different

addresses.

How does the Tarpit help?

Totally unrelated traffic Scans, exploit attempts, etc.

8

Estimating botnet size

How do we quantify these effects and relatethem back to the claimed 350 K size? Are we counting wrong? If we assume DHCP lease of∆ hours, how do these projections change?

Studied 50 botnets but we have 3 data points.

Fitting the model to the collected data What parameters did they use?

9

Evidence from “Da-list”

423 ( > 4 public IRCds)Feb 1st

11:00 AM EST

449Feb,1st

4:00 AM EST

Non-DNSDNSDate and Time

10

General consensus

Contrary to authors the attackers could use thetimezones effect to their benefit How?

This is old-school, right?: Zhou et al. A first look at P2P worms: Threats and

Defenses. IPTPS, 2005. Botnet Herders can hide behind VoIP. InfoWeek, 2/27/06

Okay, this is getting ridiculous

Cherry-picking: some weird indications …

11

Extensions Can we use this idea for containment?

Query to know if someone is infected How to preserve privacy and anonymity?

See Privacy-Preserving Data Mining. R. Agrawal and R.Srikant. Proceedings of SIGMOD, 2000

Patching rates? More grounded parameters might really affect model How might we get this?

Lifetime?

12

Student Extensions

Is there better ways to track botnets other thanpoisoning DNS? Crazy idea #1: Anti-worm

Crazy idea #2: Statistical responders Better way: Weidong Cui et al. Protocol-Independent

Adaptive Relay of Application Dialog. In NDSS 2006

What would you have liked to see with this data?

13

Using telescopes fornetwork forensics

14

Infer characteristics of the attackPopulation size, demographics, distribution Infection rate, scanning behavior .. etc

Trace the attack back to its origin(s) Identifying patient zero Identifying the hit-list (if any)Reconstructing the infection tree

Forensic (Post-mortem) analysis

15

Worm Evolution Tracking Realms

Graph Reconstruction

Reverse Engineering

Timing Analysis

16

Infection Graph Reconstruction

Proposed a random walk algorithm on the hostscontact graph Provides who infected whom tree

Identifies the worm entry point(s) to a local network oradministrative domain.

Xie et al, “Worm Origin IdentificationUsing Random Moonwalks” IEEESymposium on Security and Privacy, 2005

17

Random Moonwalks A random moonwalk on the host contact graph:

Start with an arbitrarily chosen flow

Pick a next step flow randomly to walk backward in timebackward in time

Observation: epidemic attacks have a treetree structure

Initial causal flows emerge as high frequency flowsInitial causal flows emerge as high frequency flows

T

ΔtΔtΔtΔtΔt

1 11

11

1

ABCDEFGHIJ

4550

30

30

40

38

10 8

41

159

28

18

31

16

20

2

2215

2

3

8

810

9

Slide by: Ed Knightly

Bt1

C

t2

F

t3 t5

t6

D E

H

G

t4

18

Random Moonwalk (Limitations)

Host Contact graph is known. requires extensive logging of host contacts

throughout the network

Only able to reconstruct infection history on alocal scale

Careful selection of parameters to guarantee theconvergence of the algorithms How to address this is left as open problem

19

Outwitting the Witty

Exploits the structure of the random number generatorused by the worm

Careful analysis of the worm payload allows us to reconstructthe infection series

Kumar et al, “Exploiting Underlying Structurefor Detailed Reconstruction of an Internet-scale Event”, IMC 2005

20

Witty Code !

srand(seed) { X ← seed }rand() { X ← X*214013 + 2531011; return X }

main()1. srand(get_tick_count());2. for(i=0;i<20,000;i++)3. dest_ip ← rand()[0..15] || rand()[0..15]4. dest_port ← rand()[0..15]5. packetsize ← 768 + rand()[0..8]6. packetcontents ← top-of-stack7. sendto()8. if(open_physical_disk(rand()[13..15] ))9. write(rand()[0..14] || 0x4e20)10. goto 111. else goto 2

21

Witty Code!

Each Witty packet makes 4 calls to rand()

If first call to rand() returns Xi :

3. dest_ip ← (Xi)[0..15] || (XI+1)[0..15]4. dest_port ← (XI+2)[0..15]

Given top 16 bits of Xi, now brute force all possible lower 16 bits tofind which yield consistent top 16 bits for XI+1 & XI+2

⇒ Single Witty packet suffices to extract infectee’s complete PRNGstate!

22

Interesting Observations

Reveals interesting facts about 700 infectedhosts: Uptime of infected machines

Number of available disks

Bandwidth Connectivity Who-infected whom Existence of hit-list Patient zero (?)

23

Reverse Engineering (Limitations)

Not easily generalizable Needs to be done on a case by case basis

Can be tedious (go back to the paper to see).

There must be an easier way, right?

24

Timing Analysis

Uses blind analysis of inter-arrival times ata network telescope to infer the wormevolution.

Moheeb Rajab et al. “Worm EvolutionTracking via Timing Analysis”, ACMWORM 2005

25

Problem Statement and Goals

To what extent can a network monitor trace theinfection sequence back to patient zero by observingthe order of unique source contacts?

For worms that start with a hitlist, can we use networkmonitors to detect the existence of the hitlist anddetermine its size?

Consider a uniform scanning worm withscanning rate s and vulnerable populationsize V and a monitor with effective size M.

26

Evolution Sequence and “Patient Zero”

We distinguish between two processes:

Time to Infect Time elapsed before the worm infects an additional

host

Time to Detect The time interval within which a monitor can

reliably detect at least one scan from a singlenewly infected host

inT

dT

27

Time to Infect and Time to Detect

28

Time to Infect and Time to Detect

Time to infect a new host

−

−−

=

3221

1log

11log

i

iin

sn

nVT

inT

29

Monitor Accuracy

Monitor Detection time, dT

∏=

−∑

−−= =n

i

sTT

e

i

j

jindM

P1

32

1

211

Probability of error

30

andinT dT

Uniform scanning worm:s = 350 scans/sec,V = 12,000Monitor size = /8

Probability of Error

31

Infection Sequence Similarity

Sequence Similarity

( )( )( ) ( )

∑=

→−+

−=

m

i AeBe

AeAB

ii

i

rr

rmY

0 ,,

,

1

1 2 3 4 5 6 7 8 9 m-1 m

1 2 3 4 56 7 89 m-1 m

Actual (A)

Monitor (B)

32

Is this any good?

Two (interesting) cases:

Varying monitor sizes

Non-homogeneous scanning rates

33

Bigger is Better

Larger telescopes provide ahighly similar view to theactual worm evolution

/16 view is completely useless!

34

Effect of non-homogeneous scanning

Scanning rate distribution derivedfrom CAIDA’s dataset

35

So, of what good is this?

Who cares what happens after thefirst 200 infections :-)

36

Problem Statement and Goals

To what extent can a network monitor trace theinfection sequence back to patient zero by observingthe order of unique source contacts?

For worms that start with a hitlist, can we use networkmonitors to detect the existence of the hitlist anddetermine its size?

Consider a uniform scanning worm withscanning rate s and vulnerable populationsize V and a monitor with effective size M.

37

What if the worm starts with a hit-list?

Hit-lists are used to Boost initial momentum of the worm (Possibly) hide the identity of patient zero

Trick: Exploit the pattern of inter-arrival timesof unique sources contacts at the monitor toinfer the existence and the size of the hitlist

38

Hit-list detection and size estimation

Pattern Changearound the hit-list

boundariesH = 100

Estimated hit-listH aprox. 8080% in the same /1688% belong to the same institution

Witty Worm (CAIDA)Simulation ( H = 100 )

39

Will we always see this pattern?

Same pattern was noticed also when varying populationsize and with non-homogeneous scanning rates.

H=1,000

40

Why is that?

With a hit-list of size the average worminfection time should be less than

With a /8 monitor there is no h0 that can satisfy thisinequality Of course, for uniform scanning worms

0hinT

( )

( )

−

−−≤

−−

32

32

0

21log

21

1log1log1

1logMhV

α

0/ hTd